Transparent Encryption in Git
Go to file
Adrian 6384c7bcea Simplify structure, update Readme 2015-10-30 14:33:02 +01:00
.gitcrypt Simplify structure, update Readme 2015-10-30 14:33:02 +01:00
.gitattributes Encrypted Repository using GitCrypt 2015-10-28 14:13:57 +01:00 Simplify structure, update Readme 2015-10-30 14:33:02 +01:00

Transparent Encryption in Git

Store files encrypted, have them decrypted only in the working directory.

Simply clone this repository to create an encrypted one.

OpenSSL is needed.

Tested in Linux and Git for Windows 2.6.

Thanks for Woody Gilk's tutorial which served as a starting point.


  1. Before using GitCrypt the first time, register the filters:

     git config --global filter.gitcrypt.smudge .gitcrypt/dec
     git config --global filter.gitcrypt.clean .gitcrypt/enc
     git config --global diff.gitcrypt.textconv .gitcrypt/diff

    If this step is omitted, files get added unencrypted silently. However, it is not needed, if GitCrypt has been used before.

  2. Imagine a repository password. It is either expected in the environment variable $GITCRYPT_PASS, or in the file .git/pass (which is ignored by Git).

    Hint: You can enter the password safely by using the command: read -s GITCRYPT_PASS

  3. After that, generate a salt:



After installation, Git can be used as is. Any file can be replaced (including this README) and it will be stored encrypted, except:

  • .gitattributes
  • .gitcrypt/*


  • Question: How can the salt or password be changed?

    Answer: Just edit .gitcrypt/salt or .gitcrypt/pass. After that, all files have to be forcibly re-added:

     rm .git/index
     git add .

    Note that it is not sufficient to change the password, if it has been compromised. Old versions of the files can still be decrypted, since they remain encrypted using the old password in the Git history.

  • Question: Why do errors like the following occur when cloning the repository:

     error: external filter .gitcrypt/dec failed

    Answer: It seems that GitCrypt has been used previously and the filters are already registered globally. Git tries to decrypt files in this repository which are not encrypted.

    The errors can be ignored.

  • Question: Why another version besides git-encrypt and git-crypt?

    Answer: First and foremost for me to learn something. But as an admirer of the KISS principle, I felt that it should be even easier and less code.